from the good-move dept

Last week, we wrote about Microsoft's ridiculous decision to search through a reporter's Hotmail email account after realizing that the reporter had an unauthorized copy of Windows 8. The whole thing seemed like a huge overreaction by the company -- in trying to track down an almost meaningless leak that was unlikely to have any real impact on anything, the company effectively alerted the world that you had no real privacy in your email. The move was even more ridiculous since Microsoft has more or less bet its email farm on a marketing campaign about how it respects your privacy more than others do. Microsoft's first response to this was exceptionally weak. While it announced a "change" in policies, it was still the same basic policy, which effectively (and misleadingly) claimed that it could and would continue to search anyone's email if the company had evidence that doing so might reveal a leaker.

Somewhat surprisingly, it appears that Microsoft and its legal team took the criticism seriously. Microsoft's General Counsel Brad Smith has now put out a new blog post announcing a complete change in policy, promising that it will not unilaterally look through any Microsoft user's content in search of "stolen" intellectual property:

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

Furthermore, the company will officially change its terms of service to reflect that change in policy. On top of that, it is starting a (somewhat undefined) project with EFF and CDT to work on "best practices" concerning privacy. Smith's apology is quite heartfelt, which is also rare from a big company:

It’s always uncomfortable to listen to criticism. But if one can step back a bit, it’s often thought-provoking and even helpful. That was definitely the case for us over the past week. Although our terms of service, like those of others in our industry, allowed us to access lawfully the account in this case, the circumstances raised legitimate questions about the privacy interests of our customers.

In part we have thought more about this in the context of other privacy issues that have been so topical during the past year. We’ve entered a “post-Snowden era” in which people rightly focus on the ways others use their personal information. As a company we’ve participated actively in the public discussions about the proper balance between the privacy rights of citizens and the powers of government. We’ve advocated that governments should rely on formal legal processes and the rule of law for surveillance activities.

While our own search was clearly within our legal rights, it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations involving people who we suspect are stealing from us. Therefore, rather than inspect the private content of customers ourselves in these instances, we should turn to law enforcement and their legal procedures.

Personally, I wish the announcement and policy change went a bit further -- beyond just "intellectual or physical property," making it clear across the board that, absent a reasonable warrant signed by a judge, Microsoft will not allow anyone to access anyone's content. But perhaps we'll get there someday. In the meantime, Microsoft does deserve some kudos for changing positions. Most large companies would try to just let this issue fade away rather than proactively address it.

Recheck facts

Your read on this case, Mike, is a bit off. It had nothing to do with a copy of Windows 8, but source code relating to the Volume Activation mechanics in Windows 8/Server 2012. This is a REALLY BIG DEAL to people like me running open activation systems that would then be exploitable. They made a promise to other customers, paying customers, that they would do everything in their power to keep that code secure.

How they did it is one thing, and you can be against that, but claiming that they did not have a VERY good reason for doing so is intellectually dishonest.

Re: Re: Recheck facts

They had no legal options, they did explore them and described them in detail. Because of the CFAA, email on a server belongs to the company that owns the server, not the user or any 3rd party. You cannot legally subpoena property or information that you yourself own.

This is a MAJOR flaw in the US legal system, and Google/Apple/Facebook would be forced to do this the same way in similar circumstances. Except they don't have enterprise customers that they have contracts with to secure their code, so they aren't as worried about this issue and are using it to attack Microsoft.

There is a Techdirt article from years back of Google doing the same thing (to Gchat messages) when one of their engineers was abusing his access to communicate with minors. They had no issue looking through the mis-accessed accounts to confirm that.

Get your reps to change the CFAA and make information you create, stored at a 3rd party, your own property. Otherwise, cloud storage providers will ALWAYS be forced to use only internal policies to decide these matters.

Re: Re: Re: Recheck facts

They had no legal options, they did explore them and described them in detail. Because of the CFAA, email on a server belongs to the company that owns the server, not the user or any 3rd party. You cannot legally subpoena property or information that you yourself own.

Now it is you who should recheck the facts. That was Microsoft's story but it was misleading. What they could have done -- and what they now admit they will do in the future -- is simply hand over the basic info they have to law enforcement. Law enforcement absolutely can go seek a warrant for that information if it has credible evidence that the information will reveal criminal behavior.

Re: Re: Re: Re: Recheck facts

Actually, for a change, I'm not sure that Microsoft actually intended to mislead on that point. However, at least they have admitted that they screwed up big-time here, and are showing some willingness to change here, which, if I'm honest, has surprised me.

We should continue to applaud positive interactions whilst denigrating those actions which lead to these situations.

Re: Re: Re: Re: Re: Recheck facts

Microsoft don't require the warrant if they send it to law enforcement. LEOs require the warrant to comply with all legal and evidential procedure and allow that evidence (if any) to be obtained via legal, unbiased and appropriate means.

The warrant is handed to the company, but it is actually a warrant to AUTHORISE the acquirement of the evidence by the LEOs, not by the company.

Re: Re: Re: Re: Re: Re: Recheck facts

Companies and people hand over evidence all the time without a warrant, so I'm not sure what your point is. A warrant is for an unauthorized search. This search was already authorized.

I really don't understand why this group would rather have cops searching through Hotmail than MS. Seems that every other story about the government searching emails has this site up in arms, but when MS does it you run back to the government. So weird.

Re: Re: Re: Re: Re: Re: Re: Recheck facts

There is the small matter of probable cause and getting a warrant. This is a quaint old practice that requires whoever wants to carry out a search to explain why they want to carry out a search, what they are looking for, and getting the judge to approve the search.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Recheck facts

Legally maybe, but there is a difference between me searching my own data, and Microsoft searching other people's data and using it against them. Their email business relies on a degree of trust, and what they did betrays that trust. Most people would accept the handing of the problem over to the LEOs. It is also different from an employer looking at emails sent by employees using the company's system. That is one option that Microsoft could have exercised, despite it requiring looking at all their employees' emails. Further, what Microsoft did is different from Google's algorithmic search of emails to decide what adverts to serve someone.

Re: Re: Re: Re: Re: Re: Re: Recheck facts

Down below, in reply to another of your posts, I explained why this is wrongful in both a criminal and civil case.

The search was not authorised in any way whatsoever, it wasn't even authorised under MS's own WRITTEN policy and therefore is at minimum forfeiture of contract by themselves.

The reason why people want LEOs searching through things for criminal and civil tort purposes is called due process. It is designed to allow transparency and the use of unbiased parties that have no axe to grind.

Or do you, in your practice as a Sys engineer, go searching all logs for pertinent passwords and other identifiers of all clients that use your systems because your feelings might be hurt or you somehow assume that something wrongful might have occurred? If so, you should be sacked and criminally prosecuted; if not.. well, why are you so aghast at people questioning MS doing nearly exactly the same thing?

Re: Re: Re: Re: Recheck facts

That's a fair point, but I'm not 100% sure it's a better solution. I think they already hand over too much information to law enforcement. Microsoft at least has an incentive to only look at pertinent information and to scrub it when they're done. Law enforcement has no such incentive. I think the obvious solution is a neutral 3rd party or a Cloud Services regulatory board to handle sensitive issues like this.

I think a lot of the outrage towards this is because people don't understand how big a deal this is to Microsoft's biggest customers, both OEMs and EAs. They had to do something, and they did, they just didn't have a good solution on hand and guessed wrong.

Re: Re: Re: Recheck facts

If the information is going to be used in a criminal matter where you are classified as the victim, then THE ONLY way to do this is to allow LEOs the ability to run the whole thing.

That's what criminal investigations are for. That's why victims and witnesses play no part in investigations other than giving statements and facts that are requested. If they give information on their own behest, then that information, if it is to become evidence, has to be verified as correct. The informant (in this regard the victim) has too much of a bias for this to not occur.

A warrant/subpoena is not just to obtain evidence. It is the procedurally correct way of allowing that evidence to be properly obtained by the appropriate parties for ALL sides. Otherwise anarchy reigns, rules of evidence go out the window and hearsay is fully allowed in criminal matters.

Civil cases, on the other hand, are different, though the same problems of bias, relevance, authenticity and probity also crop up with discovery. This is why it is always best practice to allow outside third parties that have no other interests to analyse, obtain, and preserve this sort of volatile data.

Microsoft were trying to enact a criminal investigation internally, being judge, jury and executioner. That's wrong both legally and ethically anywhere.

As for their statement of "While our own search was clearly within our legal rights", that is blatantly false in the context of what they were planning to use that evidence from the search for.

Re: Recheck facts

This is a REALLY BIG DEAL to people like me running open activation systems that would then be exploitable.

Your statement suggests that you are relying on the trustworthiness of a company that demonstrated that trust may be misplaced. Security via obscurity is no security, and allows NSA back-doors to be built in.

Re: Re: Recheck facts

That's a BS argument. Exploits come from bugs; having access to source allows you to find bugs. Or workarounds. And yes, we are reliant on Microsoft OSes in the enterprise because there isn't another option. I know you are about to explain to me how Linux can do it, but I'm an Enterprise Architect and you aren't, and you're wrong.

Re: Re: Re: Recheck facts

Lol, you pay a lot for your Microsoft certificates, so you're just massaging your ego there because you were a fool to go along the MS path, as was 90% of the world. If you want secure you use Unix/BSD and not Linux, you're right!

Windows sucks and always has done since 95... I didn't find 3.11 too bad, but I didn't move from DOS for a long time because I didn't like the direction things were going. Since then I've been proven right year after year!

Re: Re: Re: Re: Recheck facts

This is a VERY long conversation, but a lot of it comes down to 3 things: Manageability, supportability, and cost to confirm (testing).

Manageability: making environment-wide changes (and confirming they were successful) is very difficult in an enterprise Linux environment, and prone to failure. Getting better every day, but not there yet, and the least of the issues.

Supportability: Not that it's necessarily harder, but it is WAY more expensive to pay a Linux systems analyst to do workstation support than it is to pay a tech support monkey with a HS education. Scale that out to 1000+ IT people, and it's a multi-million dollar problem.

Confirmation/Testing: This is a lot more nuanced, and really only affects the ultra-large enterprises, but having a consistent code base among your 100 000+ computers in a large enterprise has economies of scale when testing new rollouts that are impossible to replicate in a package-based environment. It comes down to man-hours required to test changes under an ITIL/COBIT managed environment. Again, efforts are being made (successfully) to nullify this problem, but it still exists.

Re: Re: Re: Re: Re: Re: Recheck facts

Basically, yes, but it's a massive gulf right now. Some organizations can get away with it because of their skillsets, but it's hard to sustain and they have trouble hiring.

The U of A where I worked has a large OSS infrastructure, which I helped manage, and it's hard to hire good people to support it. They manage it, but it would be impossible to scale it out to the desktop for 800 end user IT people, 10 000 staff and 45 000 students in the computer labs. In contrast, the EA agreement is only low 7 figures for all their MS licensing.

It's changing, and it will likely be a completely different ballgame in 10 years, but it's not really a contest at my level.

Re: Re: Re: Re: Re: Re: Re: Re: Recheck facts

You missed the point - that, for the longest time, it was far easier, both in economic and in training-hours terms, to train people up for Enterprise Windows solutions. This is changing, to be sure, but it's not quite at the tipping point.

Remember that Linux was, and still is to a degree, not as user-friendly as Windows to the layperson. You can put a person down in front of Windows (even Windows 8) and talk them through how it works, then leave them to it and get the work done. IF something goes wrong, you can call for help from most people relatively easily. For Linux, sadly, not so much.

Re: Re: Re: Re: Re: Re: Recheck facts

This would be true if software licensing was anything but a drop in the bucket for an organization's IT budget. Also, Microsoft at least gives a ton of free consulting hours with large EAs. Every organization has a mix of open and closed source stuff, but the licensing costs don't determine what's most expensive; ease of update is. We get dinged by our auditors if our software isn't up to date, and the ease of transition that closed source stuff usually has (except ERP stuff and Oracle) offsets the cost of the license.

It's complicated, but man hours, power, user hardware, user training and consulting make up the bulk of an IT budget. Training 100 000 users on something new costs WAY more than licensing 100 000 Windows workstations at 60 bucks a pop. And don't get me started on migrating from Office.....

Re: Re: Re: Recheck facts

That's a BS argument. Exploits come from bugs, having access to source allows you to find bugs.

Which is how all those exploits used to attack Windows systems have been found!! Almost all exploits are found by calling routines with bad parameters, such as overlong strings, out of range indexes etc. If the program crashes, they can then try the various ways of using the bug. Very few exploits are found by either access to the source code, or reverse engineering the binaries.

Re: Re: Recheck facts

I have to disagree, and I'm a lot more qualified to make that argument. If VLM code gets into the wild that has MASSIVE implications for all of their biggest customers. I run a 150k user AD environment right now, and we would have had to make large, high impact changes to our activation model if the activation code was under threat.

It's my job to be VERY aware of what's going on here, and even though I personally hate that they did this, professionally I have to stand with them, and that's why they did it.

Re: Re: Re: Recheck facts

" I'm a lot more qualified to make that argument"

I just have to chime in here, since this is at least the second time you've mentioned how much more qualified you are than everyone else here. First, I doubt that's true -- there are a lot of commenters here that have quite a lot of experience in this exact thing.

Regardless, you are engaging in a logical fallacy -- appeal to authority. It means absolutely nothing, and gains you no credibility. You'd be better off actually explaining the facts and reasoning behind your opinion rather than simply saying "I'm an expert, so everything I say must be true."

Re: Re: Recheck facts

To further obfuscate, a better solution might be to go back to the honor-system activation model and then this wouldn't be such a big problem, but that's a completely separate argument that I think you and I would agree on.

Re:

Great, maybe your friends at Google will pay heed.

Not sure what kind of "gotcha" you think you're making here, but I agree that I hope Google does the same. I hope that all tech companies that offer cloud-like services will make this sort of thing standard, and I think it's ridiculous that they did not do so from the beginning.

Re:

After attacking Mike over one thing, I have to step in here and defend him. He is a friend of the general public, not Google. It's just that in a lot of ways Google has aligned incentives with the public because their business model is public trust (to a large degree). Microsoft's interests are aligned with their Enterprise customers and OEMs where the bulk of their revenues come from. So it might look like he's a Google supporter, but really issue by issue he agrees with them more often than MS.

This is changing as Google becomes more attracted to Enterprise revenues (very stable), and MS becomes more consumer focused. As their incentives drift towards each other, their behavior will become more similar and Mike will hate on them equally (or cash twice the shill checks, as you seem to think).

have to agree with blacktron

While it rather pains me to say so, I have to agree with blaktron on the management issue. MS products have a huge support base regardless of the degree of skill. Alternative systems, yes including Mac, do not have the same pool of workers to choose from. That large pool keeps the salaries lower than skilled Unix and Linux support, which has a *much* smaller group to hire from.

There's one other problem that no one has touched so far: business or logistical software. Oftentimes these products are platform specific, usually Windows, and there *is* no alternative to them.

Whether or not your business IT people 'trust' Microsoft or not is no longer a question in that situation. You lock down as much as you can and hope it's enough to keep out *most* prying eyes.

Re: have to agree with blacktron

There is the problem that staying with Microsoft only lets them increase the lock-in they have on your computer systems, and the control that they exercise over the software that you can run. The more they can lock you in to their software, the more they can charge you to allow you to run your business.

Any port in a shit storm

As sincere as the statement sounds, it is still Microsloth and I'm certain that the only thing that has changed is the manner in which they lie to the public.

It's more sincere-sounding now.

But it's still a lie.

MS will always do as it pleases first and attempt PR afterwards, but only if it feels the PR skit might have some chance of successfully fooling the public, or if it thinks it's absolutely necessary - like this time, since they're hoping to prevent a mass customer exodus.

Normally it would just weather this shit storm for the period of consumer memory - a couple weeks - and then pretend it never happened, but the off-hand manner in which they violated their own privacy agreement, as if it simply did not exist, really spooked the public.

Re:

I ditched Windows for Linux completely about 10 years ago. The transition period was a little painful then, but once you've made the move, there are no issues. Even that transition is much easier now. I've guided a number of non-techie people away from Windows recently, and nobody had any problem.

The one exception remains gaming, but even that is getting to be a smaller and smaller exception as time goes by.

Given the details of the Electronic Communications Privacy Act, no US company can give you the same rights over your email that you would have if you keep it yourself on your own server. The ECPA does not apply to companies in other countries, but you probably have even fewer rights with those governments.
